28 lines
1.5 KiB
Markdown
28 lines
1.5 KiB
Markdown
# NoCrypt - AntiRansomware Linux Kernel Module
|
|
A small experimental project to make a defense tool to prevent ransomware attacks on Linux systems.
|
|
|
|
The module hooks the system call `sys_rename` using ftrace to monitor all the files renamed on the system.
|
|
|
|
Ransomware often encrypt a lot of files renaming them with the same suffix.
|
|
NoCrypt checks if a process renames a file with a known ransomware suffix, killing the process and printing a log in the message buffer of the kernel (use dmesg to view it).
|
|
|
|
NoCrypt has also a small behaviour check, if the same (parent) process starts to rename many files, after 12 renamed files by default, it'll be killed.
|
|
The module monitors the parent task because often ransomware are command line tools with multiple threads (different task structs).
|
|
|
|
**Consider this project a proof-of-concept you can easily customize for your needs. Actually it is not recommended to put it in production.**
|
|
|
|
|
|
Thanks to Immutable-file-linux project of Shubham Dubey
|
|
|
|
Reference for: https://nixhacker.com/hooking-syscalls-in-linux-using-ftrace
|
|
|
|
|
|
## Instructions
|
|
* Run `make` from terminal
|
|
* Load the module using `sudo insmod nocrypt.ko "max_rename=12" "behaviour_detection=true"`
|
|
|
|
## Example
|
|
Compile the example program `gcc -o example example.c`.
|
|
Now run it `.\example`, it will try to rename several test files into .lockbit.
|
|
Even if the input files don't exist, NoCrypt will kill the process because it's trying to rename files with a blacklisted extension.
|
|
Check the module output with `sudo dmesg`
|